GHSA-3j4x-rwrx-xxj9 | Mondoo Vulnerability Intelligence

GHSA-3j4x-rwrx-xxj9

LOW3.7

mageMagick has a possible use-after-free write in its PDB decoder

Published Feb 25, 2026

Modified 1 weeks ago

Fix available

Details

A use-after-free vulnerability exists in the PDB decoder that will use a stale pointer when a memory allocation fails and that could result in a crash or a single zero byte write.

==4033155==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x5589c1971b24 bp 0x7ffdcc7ae2d0 sp 0x7ffdcc7adb20 T0)

==4034812==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f099e9f7800 at pc 0x5605d909ab20 bp 0x7ffe52045b50 sp 0x7ffe52045b40
WRITE of size 1 at 0x7f099e9f7800 thread T0

Affected Packages(19 packages)

Magick.NET-Q16-AnyCPU

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-HDRI-AnyCPU

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-HDRI-OpenMP-arm64

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-HDRI-OpenMP-x64

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-HDRI-arm64

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-HDRI-x64

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-HDRI-x86

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-OpenMP-arm64

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-OpenMP-x64

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-OpenMP-x86

NuGet

Fixed in:

14.10.3

References

https://github.com/ImageMagick/ImageMagick

https://github.com/ImageMagick/ImageMagick/commit/168ffe18def968f886c023146a478897866fd621

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-3j4x-rwrx-xxj9

https://github.com/advisories/GHSA-3j4x-rwrx-xxj9

https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3

CVSS Analysis

CVSS v3.1

3.7

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

LowA:L

3.7/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Ecosystems

Timeline

PublishedFeb 25, 2026

ModifiedFeb 25, 2026